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Executive Order 12958, as amended, “Classified National Security Information,” and Executive Order 
12829, as amended, “National Industrial Security Program ” The Information Security Oversight Office 
(ISOO) is a component of the National Archives and Records Administration (NARA) and receives its 
policy and program guidance from the National Security Council (NSC). 



ISOO oversees the security classification programs in both Government and industry and reports annually 
to the President on their status. 



• Develops implementing directives and instructions. 

• Maintains liaison with agency counterparts and conducts on-site reviews and special document 
reviews to monitor agency compliance. 

• Develops and disseminates security education materials for Government and industry; monitors 
security education and training programs. 

• Receives and takes action on complaints, appeals, and suggestions. 

• Collects and analyzes relevant statistical data and, along with other information, reports them 
annually to the President. 

• Serves as spokesperson to Congress, the media, special interest groups, professional organizations, 
and the public. 

• Conducts special studies on identified or potential problem areas and develops remedial approaches 
for program improvement. 

• Recommends policy changes to the President through the NSC. 

• Provides program and administrative support for the Interagency Security Classification Appeals 
Panel (ISCAP). 

• Provides program and administrative support for the Public Interest Declassification Board (PIDB). 

• Reviews requests for original classification authority from agencies. 

• Chairs interagency meetings to discuss matters pertaining to both Executive orders. 

• Reviews and approves agency implementing regulations and agency guides for systematic 
declassification review. 



• Promotes and enhances the system that protects the national security information that safeguards the 
American Government and its people. 

• Provides for an informed American public by ensuring that the minimum information necessary to 
the interest of national security is classified and that information is declassified as soon as it no longer 
requires protection. 

• Promotes and enhances concepts that facilitate the sharing of information in the fulfillment of 
mission-critical functions related to national security. 

• Provides expert advice and guidance pertinent to the principles of information security. 
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Letter to tlie P resident 



January 12, 2009 

The President 
The White House 
Washington, DC 20500 

Dear Mr. President: 

I am pleased to submit the Information Security Oversight Office’s (ISOO) Report to the President for 
Fiscal Year 2008. 

This report provides information on the status of the security classification program as required by 
Executive Order 12958, as amended, “Classified National Security Information.” It provides statistics 
and analysis concerning key components of the system, primarily classification and declassification, and 
coverage of ISOO’s on-site reviews. It also contains information with respect to industrial security in the 
private sector as required by Executive Order 12829, as amended, “National Industrial Security Program.” 

Our oversight efforts continue to identify shortcomings in agency implementation of basic requirements. 
Of particular concern are requirements related to implementing directives, security education and 
training, classification guides, and self-inspections. For example, we determined that 67 percent of all 
Executive branch classification guides have not been reviewed and updated as required within the last 
five years. Such failures are tied to requirements that have been in effect since 2003 and in many cases 
since 1995. At a time where we would expect to find increasing stability in the program, we are instead 
finding failure with the implementation of basic requirements. 

The security classification system is not self-directing and works only when agency heads demonstrate 
personal commitment and direct senior management and resources to make it work. Increased 
commitment to the basic requirements throughout the Executive branch is clearly necessary to support 
the integrity of the classification system. 

Executive Order 12958, as amended, has served the country well in terms of protecting national security 
information and enabling declassification at a level that an open society expects and deserves. However, 
further refinement is necessary, particularly to address the ways in which classified information is created 
and used in today’s electronic environment and to address the processing of multi-agency materials 
subject to automatic declassification. This last issue is of particular importance given the looming 
associated deadline of December 31, 2009. 

We remain committed to cultivating the inherent strengths of the classified national security information 
program. ISOO will work with the agencies that create and handle classified national security 
information to further improve the program in the future. 



Respectfully, 




William J. Bosanko 
Director 
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Summary of Fiscal Year 2008 
P rogram Activity 

Classification Declassification 



• Executive branch agencies reported 4,109 
original classification authorities. 

• Agencies reported 203,541 original 
classification decisions. 

• Agencies reported using the ten-year-or-less 
declassification instruction for 58 percent of 
original classification decisions. 

• Executive branch agencies reported 23,217,557 
derivative classification decisions. 

• Agencies reported 23,421,098 combined 
classification decisions. 

• Sixty-seven percent of the classification guides 
reported as being currently in use had not been 
updated within the past five years as required by 
E.O. 12958, as amended. 



• Under automatic declassification and systematic 
declassification review, agencies declassified 
31,443,552 pages of historically valuable records. 

• There are an estimated 5 1 million referred pages 
requiring review by December 31, 2009. ISOO is 
not confident agencies will meet this deadline. 

• Agencies received 8,264 initial mandatory 
declassification review requests, the highest 
ever reported. 

• Under mandatory declassification review, agencies 
declassified 190,291 pages in their entirety, 
declassified 50,219 pages in part, and retained 
classification of 20,774 pages in their entirety. 

• Agencies reported carrying over 5,843 initial 
mandatory declassification review requests into 
FY 2009. 

• Agencies received 196 mandatory declassification 
review appeals and processed 178 appeals, the 
largest number of appeals processed in a single 
fiscal year since the issuance of E.O. 12958 in 1995. 

• On appeal, agencies declassified 1,189 pages in 
their entirety, 1,501 pages in part, and retained 
classification of 3,782 pages in their entirety. 



2008 Report to the President • 1 



Classification 



Original Classifiers 

O riginal classification authorities (OCAs), 
also called original classifiers, are those 
individuals designated in writing, either 
by the President, by selected agency heads, or by 
designated senior agency officials with Top Secret 
original classification authority, to classify information 
in the first instance. Under E.O. 12958, as amended, 
only original classifiers determine what information, 



if disclosed without authorization, could reasonably 
be expected to cause damage to national security. 
Original classifiers must be able to identify or describe 
the damage. Agencies reported 4,109 OCAs in 
FY 2008, decreasing from 4,128 reported in FY 2007. 
This is less than the average number of OCAs for 
FY 1980 - FY 2007 (5,447) and significantly less than 
the number ISOO first reported for FY 1980 (7,149). 



Original Classification Authorities, FY 2008 




Top Secret Secret Confidential TOTAL 
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Number of Original Classification Authorities, FY 1980 - FY 2008 
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Original Classification Activity, FY 2008 
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Original Classification 

O riginal classification is an initial determination 
by an OCA that information owned by, 
produced by or for, or under the control of 
the United States Government, requires protection 
because unauthorized disclosure of that information 
could reasonably be expected to cause damage to 
national security. Additionally, the process of original 



classification must always include a determination by 
an OCA of the concise reason for the classification that 
falls within one or more of the authorized categories of 
classification, the placement of markings to identify the 
information as classified, and the date or event when 
the information becomes declassified. By definition, 
original classification precedes all other aspects of 
the security classification system, including derivative 
classification, safeguarding, and declassification. 



Original Classification Activity, FY 1989 - FY 2008 




4 • Information Security Oversight Office 



Agencies reported 203,541 original 
classification decisions for FY 2008, 
which is a 13 percent decrease from 
data reported in FY 2007. This is a 
60 percent decrease from the 507,794 
decisions reported in FY 1989. From 
FY 1996, when E.O. 12958 was first 
implemented, to FY 2007 the annual 
average is 214,919. 

For the fourth year in a row, the 
majority of original classification 
decisions have been assigned a 
declassification date of ten years or 
less. In FY 2008, the ten-year-or- 
less declassification instruction was 
used 58 percent of the time, which 
is slightly higher than the 57 percent 
reported in FY 2007. The numbers 
illustrate OCAs are not automatically defaulting to 
the maximum duration available (25 years), which is 
in keeping with the spirit and intent of E.O. 12958, 
as amended. 



Duration of Original Classification, FY 2008 
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Derivative Classification Activity, FY 2008 
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Derivative Classification 

D erivative classification is the act of 

incorporating, paraphrasing, restating, or 
generating in new form information that is 
already classified. Information may be derivatively 
classified in two ways: (1) through the use of 
a source document, usually correspondence or 
publications generated by an OCA; or (2) through 
the use of a classification guide. A classification 
guide is a set of instructions issued by an OCA that 
identifies the elements of information regarding 
a specific subject that must be classified and 
establishes the level and duration of classification 
for each such element. Only employees of the 
Executive branch or Government contractors 
with the appropriate security clearance, who are 
required by their work to restate classified source 
information, may classify derivatively. 

Derivative classifications utilize information from 
the original category of classification, and they 
may also utilize the same classified elements of 
information in a variety of formats and venues. 
Since every derivative classification action is based 



on information whose classification has already been 
determined, it is essential that the origin of these 
actions be traceable to a decision by an OCA. 

Agencies reported a total of 23,217,557 derivative 
classification actions in FY 2008, which is a one 
and a half percent increase from the 22,868,618 
derivative actions reported in FY 2007. Although 
it is encouraging to see the level of derivative 
classification leveling off, this figure represents 
a significantly larger number than the derivative 
average from FY 1996 - FY 2007 (16,973,690). 

The increase in derivative classification decisions 
is reflective of how agencies conduct business in 
the current electronic environment, and should not 
necessarily be interpreted as the creation of more 
secrets. Methods of communicating electronically 
have expanded significantly, to include classified 
web pages, blogs, wikis, bulletin boards, instant 
messaging, etc. Additionally, information sharing 
and its attendant policies have been a factor as well. 
Classified products are now disseminated to more 
consumers, and agencies are leveraging all forms of 
online tools to publish, inform, and collaborate. 
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Combined Classification 

ogether, original and derivative classification 
decisions make up combined classification 
activity. In FY 2008, the reported combined 
classification activity is 23,421,098 which is a one 
percent increase over the 23,102,257 decisions 



reported for FY 2007. The average combined 
classification activity from FY 1996 (the first 
fiscal year following the issuance of E.O. 12958) 
to FY 2007 is 12.2 million decisions per year. 
From FY 1980 through FY 1996, the annual 
average for combined classification was 11.5 
million decisions per year. 
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Classification Challenges 



Self-Inspections 

I n order to maintain the integrity of the classification 
system, it is vital that agencies conduct internal 
oversight in order to promote sound information 
security practices. While E.O. 12958, as amended, 
authorizes ISOO to conduct on-site inspections of 
those agencies that generate and handle classified 
information, it places primary responsibility for 
internal oversight on the agency heads and senior 
agency officials. E.O. 12958, as amended, requires 
agency heads to establish and maintain “an ongoing 
self-inspection program, which shall include the 
periodic review and assessment of the agency’s 
classified product.” Agencies reported 8,604 self- 
inspections in FY 2007 and 7,289 self-inspections 
in FY 2008. A strong self-inspection program is 
indicative of a robust classification security program. 
Agencies must adopt responsible security practices by 
adopting the internal oversight mechanisms required 
by E.O. 12958, as amended. 



A nother internal mechanism to promote sound 
classification decisions is the classification 
challenge provision established by section 
1.8 of E.O. 12958, as amended. Authorized holders 
of information who, in good faith, believe its 
classification status is improper are encouraged 
and expected to challenge the classification status 
of that information. Classification challenges are 
handled both informally and formally, and provide 
individual holders the responsibility to question the 
appropriateness of the classification of information 
in accordance to E.O. 12958, as amended. However, 
ISOO’s program reviews have revealed that most 
authorized holders of classified information are 
not aware of this provision and, therefore, do not 
challenge classification as much as should be 
expected in a robust system. Agencies reported 275 
formal classification challenges in FY 2007 and 436 
formal classification challenges in FY 2008. 
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Declassification 



Background 

D eclassification is an integral part of the security 
classification system. It is the authorized 
change in status of information from classified 
to unclassified. Executive Order 12958, as amended, 
establishes three declassification programs: automatic 
declassification, systematic declassification review, 
and mandatory declassification review. Agencies must 
commit necessary resources in order to effectively 
implement these programs. Automatic declassification 
removes the classification of information at the close 
of every calendar year when that information reaches 
the 25-year threshold. Systematic declassification 
review is required for classified records less than 
25 years old and those exempted from automatic 
declassification. For purposes of this report, statistics 
reported for systematic declassification review and 
automatic declassification are combined because the 



execution of both programs is usually indistinguishable. 
Mandatory declassification review provides for direct, 
specific review for declassification of information when 
requested. Together these three programs are essential 
to the viability of the classification system and vital to 
an open government. 

Pages Reviewed and 
Pages Declassified 

D uring FY 2008, the Executive branch 

reviewed 51,454,240 pages for declassification 
under sections 3.3 and 3.4 of E.O. 12958, as 
amended. Moreover, the Executive branch declassified 
31,443,552 pages under the automatic and systematic 
declassification review provisions. 



1.4 Billion Pages Declassified, FY 1980 - FY 2008* 




1994 

* Excluding Mandatory Declassification Review 
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Total Number of Pages Reviewed* 
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FY 2007 
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FY 2008 



As detailed below, the overall number of pages 
reviewed and pages declassified by Executive branch 
agencies has declined significantly from previous 
years. Agencies have reviewed 14 percent fewer 
pages and have declassified 16 percent fewer pages 
than in FY 2007. This decline in declassification 
activity across the Executive branch can be 
attributed to the passing of the December 31, 2006, 
deadline for automatic declassification for all 
material 25 years of age or older. Significant effort 
and resources were allocated in the first quarter of 
FY 2007 to reviewing records in anticipation of 
this deadline. However, in FY 2008, the focus of 
most agency declassification activity was narrow 
and limited to records created in the early 1980s. 

Although the overall volume of records reviewed 
and declassified has significantly decreased, the 
total declassification rate of all records reviewed 
by the Executive branch only declined by 1 
percent from FY 2007 to FY 2008. In FY 2008, 
agencies declassified 61 percent of pages reviewed. 
Although the volume of records reviewed and 
declassified after the December 31, 2006, deadline 
has decreased, agencies of the Executive branch 
continue to declassify records at a steady rate. 



The Department of Defense (DOD), the 
Department of the Navy (Navy), the Department 
of the Army (Army), and the Department of 
the Air Force (Air Force), reviewed 37,821,379 
pages, or 74 percent of the total number of 
pages reviewed by all agencies. Of the 31.4 
million pages declassified by agencies, DOD 
and the three military departments declassified 
24,516,362 pages which accounts for 78 
percent of the total pages declassified. 

Navy declassified 8,847,188 pages, leading all 
Executive branch agencies in the number of pages 
declassified during FY 2008. This represents a 
declassification rate of 75 percent. Of those agencies 
with large declassification programs, Air Force 
had the highest declassification rate at 82 percent 
(declassifying 4,909,047 pages). 

Agencies will need to continue to devote resources 
to all three declassification programs as stipulated 
in E.O. 12958, as amended. In accordance with the 
systematic declassification review requirements, 
agencies now need to devote substantially more 
resources to review those records that were exempted 
from automatic declassification since 1995. 
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